CVE-2025-7401
Published: 11 July 2025
Summary
CVE-2025-7401 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Codecanyon (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-11 (User-installed Software).
Deeper analysis
The Premium Age Verification / Restriction for WordPress plugin for WordPress contains an arbitrary file read and write vulnerability stemming from insufficiently protected remote support functionality in remote_tunnel.php. The flaw affects all versions through 3.0.2 and is tracked as CVE-2025-7401 with a CVSS 3.1 score of 9.8 and CWE-798.
Unauthenticated attackers can exploit the issue remotely without any user interaction to read from or write to arbitrary files on the hosting server, enabling exposure of sensitive data or remote code execution. The EPSS score remains flat at a low 0.0188 with no material increase after disclosure. Public references point to the vendor listing on CodeCanyon and a detailed entry from Wordfence for further technical context.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21108
Vulnerability details
The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to read from or write to arbitrary files on the affected site's server which may make the exposure of sensitive information or remote code execution possible.
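As an added defender-side example (not part of this advisory or the plugin), the following Python scans web-server access logs for requests to the remote_tunnel.php endpoint the advisory names and summarizes suspected read and write attempts per source address. The sample log lines, the plugin directory name and the rule that safe HTTP methods indicate reads and other methods writes are all constructed assumptions, not details from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# File name from the advisory; the plugin directory in the sample lines is a
# constructed placeholder, since the page does not give the real install path.
ENDPOINT = "remote_tunnel.php"

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2025:03:14:07 +0000] "GET /wp-content/plugins/example-age-plugin/remote_tunnel.php?f=x HTTP/1.1" 200 4172 "-" "curl/8.4.0"
198.51.100.23 - - [12/Jul/2025:03:14:09 +0000] "POST /wp-content/plugins/example-age-plugin/remote_tunnel.php HTTP/1.1" 200 57 "-" "python-requests/2.32"
192.0.2.5 - - [12/Jul/2025:03:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2025:03:15:12 +0000] "GET /wp-content/plugins/example-age-plugin/REMOTE_TUNNEL.PHP HTTP/1.1" 404 196 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_tunnel_hits(log_text: str) -> list:
    """One finding per request whose last path segment is remote_tunnel.php
    (case-insensitive, query string ignored, under any plugin directory)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production rule would count these too
        path = urlsplit(m["target"]).path
        if path.rsplit("/", 1)[-1].lower() != ENDPOINT:
            continue
        findings.append({
            "ip": m["ip"], "timestamp": m["ts"], "method": m["method"],
            "status": int(m["status"]),
            # Heuristic (an assumption, not from the advisory): safe methods are
            # treated as file-read attempts, anything else as write attempts.
            "suspected": "read" if m["method"] in ("GET", "HEAD") else "write",
        })
    return findings

def summarize_by_source(findings: list) -> dict:
    """Count suspected read/write attempts per source IP for triage."""
    per_ip = defaultdict(lambda: {"read": 0, "write": 0})
    for f in findings:
        per_ip[f["ip"]][f["suspected"]] += 1
    return dict(per_ip)
```

A 404 hit is still reported, since a request for the file name on a host that has already removed or patched the plugin is itself a useful indicator of scanning.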
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress plugin enables remote, unauthenticated arbitrary file read/write (via hard-coded credentials), directly facilitating initial access via T1190 and web shell deployment (T1505.003) for RCE.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: Requires timely patching of the vulnerable plugin versions up to 3.0.2 to eliminate the arbitrary file read/write vulnerability in remote_tunnel.php.
- CM-11 (User-installed Software): Prohibits unauthorized installation of third-party WordPress plugins like Premium Age Verification, preventing deployment of components with unprotected remote support functionality.
- AC-14 (Permitted Actions Without Identification or Authentication): Explicitly defines and restricts permitted actions without authentication, preventing unauthenticated arbitrary file read/write via the remote_tunnel.php endpoint.